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Rogue APs are not new! 

Just a different way to think about it 



Not something found in an office 



environment 
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What else is in a typical 
office environment that 
should be connected to a 
network 

Leave out the obvious - PCs 
and Laptops 

Now with more evil, more 
bastard! 
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LaFonera - FON 









Supports OpenWRT 




r 




'» ■ - ■ Y. " 



Help desk, my device is not functioning 

How do we make the AP and device 
function? 



We need more ports! 




nsert one hub. 
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Keep host device functional 

Size 

NAC 

Sacrificial Device 
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And more... 




To make our device small, we need to have 
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Move/remove all ethernet ports and power 
connectors (too big!). Lay down capacitors 
where needed. 



Trim boards, and jumper the bits we remove 



Ethernet for La Fonera, and for host! 





One of the most difficult portions 



Electrically isolated 






Port removal and disassembly! 
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Power 






Fon needs 5v DC, Hub need 5v DC 
Don't want extra cables 
Find "vampire power" internally 
Matching voltage? 



The NEW La Fonera! -The FON+ 
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Wireless 
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Our own config, high risk 



Similar to corporate config, moderate risk 
Identical to corporate config, low risk 
Timed config change, moderate/low risk 
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Now that we have our requirements... 
What can we find in an office environment? 



Time to add the more evil and more 
bastard! 



One of the most ubiquitous pieces of tech 
in most offices 




Let's start with the beginning: the HP MIO 










Look ma, plenty of room! 
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HP's upgrade to MIO - EIO! 



This is where the real creative soldering/ 
cutting comes in... 
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More ethernet! 






About EIO form factor 
Canon, amongst others 
Print, Copy 
Network Scan and Fax! 
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UL 508 Listed/ Industrial Control Equipment 

C-UL Listed, CSA 22.2 No. 14-M91, 
Industrial Control Equipment 

UL 1604 Listed, CSA Standard C22.2 No. 
21 3- Ml 987, Non-Incentive Electrical 
Equipment for use in Class I, Division % 
Hazardous Locations (Groups A, B, C, 0} 

UL 864 Recognized Component Control Units 
for Fire- Protective Signalling Systems 
(EIS8-100T and EI56-100T/FT only) 
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You can count on it 
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Search Google 
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Hmmm 
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The insides 



2 Ethernet ports 
Power via POE 














802.3af requires special signaling 

What about down stream after all that has 



been done for us? 



■ 




■Ml 


[V| 


■1 


L^T^J 


[• 


T*» 


ft 










> r J§J ^* 





"a *v 





i 






— , M 



But Larry, those phones are in a "secure 
area! 



Locked door, restricted, supervised access 
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...even this 





can turn into this 





But what about. 
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We've covered a bunch of office 
technology. 

But what about wireless APs!? 




Loads of APs available 
Too many to discuss 
A few I've seen recently 





Plenty of items in an office environment to 
deconstruct 

Often great places for APs 

How many will find a device that looks and 
acts just like it is supposed to, but with a 
surprise? 



Use OpenWRT to create aWDS (or WET) 






Bridge AP to wireless, connect via same/ 
times wireless 

Hide it 

77777 



Profit!? 



If it has power, we can tap it 
There's always a battery! 
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These do rely on WDS or bridging wireless 
Small battery? In some cases yes. 




1960's CIA project 



"They slit the cat open, put batteries in him, wired him up. The tail was 
used as an antenna. They made a monstrosity. They tested him and 
tested him. They found he would walk off the job when he got hungry, 
so they put another wire in to override that. Finally, they re ready. They 
took it out to a park bench and said "Listen to those two guys. Don t 
listen to anything else - not the birds, no cat or dog -just those two 
guys!" ... They put him out of the van, and a taxi comes and runs him 
over. There they were, sitting in the van with all those dials, and the 
cat was dead!" - Victor Marchetti 



Early field trials: 
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Priceless. 
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1 Regular scanning - Kismet & laptop 

Fixed scanning - Kismet &WRT54G 

Wired side scanning - RogueScanner, nessus 

Distributed scanning -Thin APs (Cisco, 
Aruba, Trapeze) 

1 Combine that with Inventory Management 
and Corporate Policy 
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Any Questions? 
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